Secure code with Mysqli
Question

Is this code well protected, and if not, could you tell me how to secure it? I use Mysqli... Also I would like someone to show me how this can be exploited if it is not secure.
    if (isset($_POST['vrsta_predmeta']) AND !empty($_POST['vrsta_predmeta']) AND
        isset($_POST['res_text']) AND isset($_POST['glavni_dug']) AND isset($_POST['res']) AND
        isset($_POST['zaklj']) AND isset($_POST['povjerilac']) AND isset($_POST['duznik']) AND
        isset($_POST['predmet_zaveden'])) {
        // Untrusted request fields; trim() removes whitespace but does not make them safe for SQL.
        $racunob      = trim($_POST['rac']);
        $obrazlozenje = trim($_POST['obr']);
        $ob_text      = trim($_POST['res_ob']);
        $res_text     = trim($_POST['res_text']);
        $vrsta_pre    = trim($_POST['vrsta_predmeta']);
        $izvrsenje    = trim(strtolower($_POST['res']));
        $obrazac      = trim($_POST['zaklj']);
        $povjerilac   = $_POST['povjerilac'];
        $duznik       = $_POST['duznik'];
        $datum        = trim($_POST['predmet_zaveden']);
        // $dok_broj and $ses_val are set elsewhere (not shown in the posted fragment).
        // Each iteration interpolates $key straight into the SQL string and overwrites $lica,
        // so only the last prepared statement is ever executed below.
        foreach ($povjerilac as $key) {
            $lica = $db->prepare("INSERT INTO p_lica(povjerilac, doc_br, dokument_vlasnik) VALUES('$key', '$dok_broj', '$ses_val')");
        }
        foreach ($duznik as $key1) {
            $lica1 = $db->prepare("INSERT INTO d_lica(duznik,doc_br, dokument_vlasnik) VALUES('$key1', '$dok_broj', '$ses_val')");
        }
        // Same problem: every value is part of the query text instead of a bound parameter.
        $insert_dok = $db->prepare("INSERT INTO document_tbl(dokument_vlasnik,dokument_broj,vrsta_dokumenta,zakljucak, resenje_izvrsenja,datum,resenje_text,obrazlozenje,obtext,racunob) VALUES('$ses_val','$dok_broj', '$vrsta_pre','$obrazac','$izvrsenje','$datum','$res_text','$obrazlozenje','$ob_text','$racunob')");
        if ($lica->execute() AND $insert_dok->execute() AND $lica1->execute()) {
            $lica->close();
            $lica1->close();
            $insert_dok->close();
            echo '<script>new Messi(\'Dokument uspjesno dodat.\', {title: \'Obavjestenje\', titleClass: \'success\', buttons: [{id: 0, label: \'Close\', val: \'X\'}]});</script>';
            // header() has no effect once output has been echoed above.
            header('location:login.php');
        } else {
            echo '<script>new Messi(\'Dokument uspjesno dodat.\', {title: \'Obavjestenje\', titleClass: \'anim warning\', buttons: [{id: 0, label: \'Close\', val: \'X\'}]});</script>';
        }
    }
Accepted answer

Even though you are using prepared statements, you are currently directly appending user input to your query. Take a look at the documentation of prepared statements. There are a lot of examples and clear explanations as to why and how you should use prepared statements.
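The point of the answer is that `prepare()` only helps when the SQL text contains `?` placeholders and the values arrive through `bind_param()`. Below is an added example (not the asker's or the answerer's code) that rewrites the three INSERTs from the question that way. It assumes `$db` is a connected `mysqli` object and that `$dok_broj` and `$ses_val` are defined by surrounding code, as in the posted fragment; the `postField()` helper, the transaction and the 400/500 responses are additions for illustration, not something the page describes.

```php
<?php
// Added example: the asker's inserts with bound parameters, so request values are
// sent to MySQL as data and never become part of the SQL text.
// Assumed from the question: $db (mysqli), $dok_broj and $ses_val are already set.

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: a trimmed scalar field from $_POST, or null if absent.
function postField(string $name): ?string
{
    if (!isset($_POST[$name]) || is_array($_POST[$name])) {
        return null;
    }
    return trim((string) $_POST[$name]);
}

// Reject the request early if a required field is missing or empty.
$required = ['vrsta_predmeta', 'res_text', 'glavni_dug', 'res', 'zaklj',
             'povjerilac', 'duznik', 'predmet_zaveden'];
foreach ($required as $name) {
    if (!isset($_POST[$name]) || $_POST[$name] === '') {
        http_response_code(400);
        exit('Missing field: ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8'));
    }
}

// The two list fields must be non-empty arrays of strings.
$povjerilac = is_array($_POST['povjerilac']) ? array_map('strval', $_POST['povjerilac']) : [];
$duznik     = is_array($_POST['duznik'])     ? array_map('strval', $_POST['duznik'])     : [];
if ($povjerilac === [] || $duznik === []) {
    http_response_code(400);
    exit('povjerilac and duznik must be non-empty lists');
}

$vrstaPre     = postField('vrsta_predmeta');
$obrazac      = postField('zaklj');
$izvrsenje    = strtolower(postField('res'));
$datum        = postField('predmet_zaveden');
$resText      = postField('res_text');
$obrazlozenje = postField('obr') ?? '';
$obText       = postField('res_ob') ?? '';
$racunob      = postField('rac') ?? '';

// All three inserts succeed or none do.
$db->begin_transaction();
try {
    // bind_param() binds by reference: bind once, then change $key per row.
    $key  = '';
    $lica = $db->prepare('INSERT INTO p_lica (povjerilac, doc_br, dokument_vlasnik) VALUES (?, ?, ?)');
    $lica->bind_param('sss', $key, $dok_broj, $ses_val);
    foreach ($povjerilac as $key) {
        $lica->execute();
    }
    $lica->close();

    $key1  = '';
    $lica1 = $db->prepare('INSERT INTO d_lica (duznik, doc_br, dokument_vlasnik) VALUES (?, ?, ?)');
    $lica1->bind_param('sss', $key1, $dok_broj, $ses_val);
    foreach ($duznik as $key1) {
        $lica1->execute();
    }
    $lica1->close();

    $insertDok = $db->prepare(
        'INSERT INTO document_tbl (dokument_vlasnik, dokument_broj, vrsta_dokumenta, zakljucak,
             resenje_izvrsenja, datum, resenje_text, obrazlozenje, obtext, racunob)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)'
    );
    $insertDok->bind_param('ssssssssss', $ses_val, $dok_broj, $vrstaPre, $obrazac,
        $izvrsenje, $datum, $resText, $obrazlozenje, $obText, $racunob);
    $insertDok->execute();
    $insertDok->close();

    $db->commit();
} catch (mysqli_sql_exception $e) {
    $db->rollback();
    // Log the detail server-side; do not echo driver errors to the client.
    error_log('document insert failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Could not save the document.');
}

// Redirect before any output is sent; a header() after echo is ignored.
header('Location: login.php');
exit;
```

Two things differ from the original besides the placeholders. Each statement is prepared once and executed once per row instead of being re-prepared and overwritten inside the loop, and the redirect is issued before any output, since `header()` after an `echo` is discarded by PHP. A quote or semicolon in `$key` now simply ends up stored in the `povjerilac` column.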